
Conversation

@racterub racterub commented Jan 24, 2026

Summary

This PR adds support for reloading TLS certificates when headscale receives a SIGHUP signal, enabling zero-downtime certificate rotation for deployments using manual TLS configuration.

Changes

  • TLS certificate reload on SIGHUP: When headscale receives SIGHUP, it now reloads TLS certificates from disk
    (in addition to existing ACL policy reload)
  • Thread-safe certificate access: Uses sync.RWMutex to protect certificate access during concurrent requests and
    reloads
  • Dynamic certificate serving: Switched from static Certificates slice to GetCertificate callback for runtime
    certificate updates

Tasks

  • have read the CONTRIBUTING.md file
  • raised a GitHub issue or discussed it on the projects chat beforehand
  • added unit tests
  • added integration tests
  • updated documentation if needed
  • updated CHANGELOG.md

Fixes #3027

Disclaimer: this PR was implemented fully automatically by Claude Code and reviewed by me.

kradalby (Collaborator) commented Feb 7, 2026

Without having had time to review, I think this seems reasonable. Can you rebase it onto main (there have been a lot of changes) and then I'll try to get to reviewing it?

racterub and others added 5 commits February 8, 2026 00:51
Add two integration tests to verify the certificate reload functionality:
- TestTLSCertificateReloadOnSIGHUP: verifies certificate is reloaded
  after SIGHUP by checking NotBefore timestamp changes
- TestTLSCertificateReloadClientConnectivity: verifies clients remain
  connected and can ping each other after certificate rotation

Also adds Reload() method to ControlServer interface to expose SIGHUP
signal capability to integration tests.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
racterub force-pushed the feat/cert-reload-on-sighup branch from 649bdb3 to 5132ecc on February 7, 2026 16:52
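The reload path that the PR description and the test commit describe (an RWMutex-guarded certificate, a GetCertificate callback instead of a static Certificates slice, Reload on SIGHUP, and a NotBefore comparison to prove the new leaf is being served), as an added self-contained Go example. This is not headscale's code and not part of this PR: the CertReloader type, its method names, the tls.crt/tls.key file names and the self-signed Ed25519 test pair are assumptions made for the example. Like the integration tests, which go through the Reload() method the commit adds rather than delivering a real signal, the demo calls Reload() directly; it also exercises the failure mode a reviewer should check, namely that a corrupt file at reload time leaves the previous pair in service instead of taking the listener down.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"os/signal"
	"sync"
	"syscall"
	"time"
)

// CertReloader (hypothetical, not headscale's own type) serves the pair loaded last; handshakes hold the read lock and Reload the write lock, so no handshake sees a half-swapped pair.
type CertReloader struct {
	certPath, keyPath string
	mu                sync.RWMutex
	cert              *tls.Certificate
}

// Reload re-reads the pair from disk. On any error the previous pair stays in service, so a half-written or corrupt file mid-rotation cannot take the listener down.
func (r *CertReloader) Reload() error {
	cert, err := tls.LoadX509KeyPair(r.certPath, r.keyPath)
	if err != nil {
		return fmt.Errorf("reload %s: %w", r.certPath, err)
	}
	if cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0]); err != nil { // Go < 1.23 leaves Leaf nil
		return err
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	r.cert = &cert
	return nil
}

// GetCertificate is the tls.Config.GetCertificate callback: it runs on every handshake, so new connections pick up a swapped pair without the listener restarting.
func (r *CertReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	r.mu.RLock()
	defer r.mu.RUnlock()
	return r.cert, nil
}

// ServeSIGHUP blocks (run it in a goroutine) and calls Reload on every SIGHUP; a failed reload is logged and the previous pair keeps serving.
func (r *CertReloader) ServeSIGHUP() {
	ch := make(chan os.Signal, 1)
	signal.Notify(ch, syscall.SIGHUP)
	for range ch {
		if err := r.Reload(); err != nil {
			fmt.Fprintln(os.Stderr, "keeping previous certificate:", err)
		}
	}
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mustWriteSelfSigned writes a throwaway self-signed Ed25519 pair (constructed test data); NotBefore is the field that tells one rotation from the next.
func mustWriteSelfSigned(certPath, keyPath string, notBefore time.Time) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(notBefore.Unix()), NotBefore: notBefore, NotAfter: notBefore.Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	check(err)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(key) // cannot fail for an Ed25519 key
	check(os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o644))
	check(os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600))
}

// RotationDemo mirrors the integration test's check: load, rotate the files on disk, Reload (what the SIGHUP handler calls) and confirm the served NotBefore moved;
// then corrupt the certificate file and confirm the good pair survives the failed reload.
func RotationDemo() (before, after time.Time, badReloadRejected, goodPairKept bool) {
	dir, err := os.MkdirTemp("", "certreload")
	check(err)
	defer os.RemoveAll(dir)
	r := &CertReloader{certPath: dir + "/tls.crt", keyPath: dir + "/tls.key"}
	served := func() time.Time { // what a new handshake would be offered right now
		c, _ := r.GetCertificate(nil)
		return c.Leaf.NotBefore
	}
	mustWriteSelfSigned(r.certPath, r.keyPath, time.Date(2026, 1, 24, 0, 0, 0, 0, time.UTC))
	check(r.Reload())
	before = served()
	mustWriteSelfSigned(r.certPath, r.keyPath, before.Add(time.Hour)) // operator rotates the pair
	check(r.Reload())                                                 // what SIGHUP triggers
	after = served()
	check(os.WriteFile(r.certPath, []byte("not a certificate"), 0o644)) // botched rotation
	badReloadRejected = r.Reload() != nil
	goodPairKept = served().Equal(after)
	return
}

func main() { fmt.Println(RotationDemo()) }
```

In a server the two halves are wired as `&tls.Config{GetCertificate: r.GetCertificate}` on the listener and `go r.ServeSIGHUP()` next to the existing policy-reload handler. The write lock is held only for the pointer swap, after the file I/O and parsing have succeeded, so a reload never stalls handshakes and a reload that fails validation changes nothing.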
racterub (Author) commented Feb 7, 2026

Hey @kradalby, I just rebased onto main. Please have a look.

Thanks


Development

Successfully merging this pull request may close these issues.

[Feature] Headscale TLS reload on SIGHUP
